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ABSTRACT 


Statistical and probabilistic reliability methodologies 
are developed for the determination of hardware life limits 
for the Space Shuttle Main Engine (SSME). Both methodolo- 
gies require that a mathematical reliability model of the 
engine (system) performance be developed as a function of 
the reliabilities of the components and parts. The system 
reliability model should be developed from the Failure 
Modes and Effects Analysis/Critical Items List. The statis- 
tical reliability methodology establishes hardware life 
limits directly from the failure distributions of the 
components and parts obtained from statistically-designed 
testing. The probabilistic reliability methodology estab- 
lishes hardware life limits from a decision analysis 
methodology which incorporates the component/part relia- 
bilities obtained from a probabilistic structural analysis, 
a calibrated maintenance program, inspection techniques, and 
fabrication procedures. Probabilistic structural analysis 
is recommended as a tool to prioritize upgrading of the 
components and parts. 

The Weibull probability distribution is presently 
being investigated by NASA/MSFC to characterize the failure 
distribution of the SSME hardware from a limited data base 
of failures. Methods are outlined to derive a file of 
values of the shape parameter 8 of the Weibull distribution 
(i.e., "8 -bank") from failure data obtained for hardware on 
the SSME and other pump-propelled rocket engines, from 
material specimen testing, from probabilistic structural 
analysis , and from expert judgment . 

Other recommendations include the development of 
concise definitions and identification measures of the 
mechanical failure modes of the hardware in the failure data 
collection process to facilitate statistical failure data 
analysis, the calibration of failure distributions derived 
from probabilistic structural analyses with the failure 
distributions derived statistically from testing, and the 
development of a decision analysis methodology to determine 
hardware life limits when limited failure data is available. 
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1 • 0 INTRODU CTI ON 

During the Mercury, Gemini and Apollo-Saturn programs, 
NASA developed rocket propulsion systems with high reliabi- 
lity since most were expendable and maintenance could not be 
performed. Since the 1970's, however, NASA has been 
challenged with the development of the reusable Space 
Shuttle Main Engine (SSME) to be designed for 55 Shuttle 
Orbiter launches, which is 27,000 seconds of operating life. 
In launch, the three Orbiter SSMEs operate in parallel with 
the Solid Rocket 3oosters (SRBs) for approximately 2 minutes 
until SRB separation. The SSMEs then continue to burn for a 
total of about 8 minutes from launch until the Orbiter is 
near the desired orbital velocity. 

The SSME is a high performance, liquid propellant 
rocket engine with variable thrust. The SSMEs use liquid 
oxygen and liquid hydrogen propellants, which are stored in 
the External Tank attached to the Orbiter, and operate at a 
mixture ratio (LOX/LI^) of 6:1. Each SSME uses a staged 
combustion cycle to power the turbopumps with high combu- 
stion chamber pressure. First, the staged combustion 
cycle consists of partial propellant combustion in the 
preburners at high pressure and relatively low temperature. 
The propellants are then totally combusted at a high 
chamber pressure of approximately 3000 psia and a high 
temperature in the main combustion chamber (MCC) before 
expanding through the nozzle which has an area ratio of 
77.5:1. 

Each SSME produces 470,000 lbs. of thrust at rated 
power level (RPL) and is throttleable from 65 percent RPL to 
109 percent, which is full power level (FPL) and 512,000 
lbs. of thrust. The SSMEs are designed, fabricated, 
and maintained by Rockwell International/Rocketayne Division 
(RI/RD) for NASA/Marshall Space Flight Center (MSFC). 

Further descriptions and performance of the SSMEs can be 
found in Schwinghamer (1976), Johnson and Colbo (1981), 

Klatt and Wheelock (1982), McCarty and Wood (1983), and 
Ryan et al . . (1983). To date, the SSMEs have collectively 

acquired approximately 33,000 seconds of operation in 25 
launches and a total of 270,000 seconds of combined test and 
launch time. 

2 • 0 PROBLEM STATEMEN T 

The reusability requirement with minimum maintenance 
for quick turn-around time, the high operating temperatures 
and pressures, and the limited Congressional funding for the 
Space Shuttle program provide the major engineering chal- 
lenges for the design, fabrication, and maintenance of a 
highly reliable SSME. For reliability and maintainability, 
the SSME can be considered as a system composed of a number 
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of components and parts as shown in Figure 1. The terms 
"system", "components" , and "parts" will be used throughout 
this paper and are defined as follows: 

System: Group of components integrated 

to perform specific opera- 
tional function(s) . 

EXAMPLE : SSME 

Component: Collection of parts which repre- 

( Subsystem) sents a self-contained entity of 
a complete system and perform a 
function necessary to the operation 
of that system. 

EXAMPLES: High Pressure Fuel TurbooumD 

( HPFTP ) 

Main Combustion Chamber (MCC) 

Main Fuel Valve (MFV) 

: Least subdivision of a component which 

cannot be disassembled without dest^ovirc 
it. 

EXAMPLE: HPFTP: Blades, Impellers, Seals, 

Bearings, Welds, etc. 

RI/RD (1984) illustrates the SSME engine, component, and 
part configurations and gives the acronyms for the hardware 
used in this paper. A number of comDonents such as the four 
turbopumps ( LPFTP , HPFTP, LPOTP, and'HPOTP), valves, ducts, 
instrumentation, igniters, nozzles, and controllers have 
oeen designed as line replaceable units (LRUs) to facilitate 
field maintenance, automatic checkout, and internal inspec- 
tion capabilities. A number of the SSME components/Darts 
are lif e -ii m i te d due to low-cycle (LC) /thermal fatigue, 
high-cycle fatigue (HCF), and cyclic creep. One of the 
major SSME challenges to date is the auantif ication of 
reliable life limits for the SSME hardware. 

Reliable life limits for engine parts are established 
by the aircraft industry from sufficient testing of the 
components and parts . The aircraft industry develops an 
engine using the "bottom-up" approach (e.g.. Hill, 1977; 
Gibson, 1985). Extensive testing and redesign is done at 
the component /part level during the developmental phase of 
the engine to verify component /part reliability. From 
adequate testing of the parts and components, the proba- 
bility distribution of the time (or number of cycles) to 
failure of each life-limited hardware is developed. The 
hardware life limit is then determined from the" failure 
distribution to achieve a given reliability level. With 
this approach, "surprise" failures and redesign problems are 
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minimized during engine level testing and the operational 
phase. The reliability of the components, parts, and hence, 
the engine, is well-understood. 

The SSME , however, has been developed using the 
"top-down" approach. The SSME has been designed, fabricated 
and launched with relatively little developmental testing 
of the materials, components, and parts. Because of 
Congressional budgetary restraints, virtually ail testing 
has been/is being conducted at the engine (system) level. 
This approach for engine development has caused several 
significant engineering problems in quantifying life utili- 
zation of the SSME hardware: 

1. Because component/part level testing has not been 
conducted on the SSME, the reliability of the SSME 
hardware and the life limits cannot be quantified 
statistically from the failure data. For most life- 
limited hardware, none to only a few failures nave beer, 
observed. Generally, no life-limited component or part 
is used in flight if it has accumulated time greater 
than 50% of the fleet leader time of that hardware. 

What procedure should be used to establish reliable 
utilization of life-limited SSME hardware? 

2. During engine level testing and flight, 26 significant 
SSME failures have occurred due to a variety of 
different component /part failures (Vance, 1986). 

Fifteen of these failures occurred prior to the first 
launch of the SSMEs on the Shuttle Orbiter Columbia on 
April 12, 1981. Preliminary Flight Certification 

( PFC ) and Full Power Level Certification (FPLC) are 
based on accumulating 10,000 seconds on each of two 
engines for a 10-flight capacity to provide a safety 
factor of 2. Is engine testing sufficient to prevent 
the random occurrence of future SSME failures? 

3. The SSME has been designed using the factor of safety 
(FS) approach with the following values for the FS 
(RI/RD’, 1974): 

• 1.5 for ultimate, pressure only 

• 1.4 for ultimate, combined loads 

• 1.1 for yield 

• 4.0 for LCF 

• 10.0 for HCF 

• 10.0 for creep 

The FS concept, however, does not measure the reliabi- 
lity or failure probability and does not quantify the 
uncertainty associated with the SSME design parameters. 
The uncertainty associated with the SSME design 
parameters can be divided into statistical and 
nonstatistical uncertainties as follows: 
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• Statistical uncertainty (can be quantified from 
data) 

• Operating environment 

• Thermal environment 

• Pressure 

• Other design loads 

• Material properties 

• Ultimate, tensile strength 

• Compressive strength 

• S-N fatigue curves 

• Fracture-related properties 

• Dimensions (tolerances) 

• Inspection procedures 

« Nonstatistical uncertainty (associated with the 
assumptions and thermal/stress/fatigue models 
used in the structural analyses) 

How can the above uncertainties be incorporated into a 
methodology to reliably establish life limits for the 
SSME hardware? 

3.0 OBJECTIVE 


This paper proposes that SSME hardware life utilization 
should be established from a reliability methodology rather 
than from a factor of safety approach. From a reliability 
approach, the SSME hardware life limits should be determined 
from the reliabilities of the parts and components, 
and R , respectively. Two reliability methodologies are 
presented in this paper : 

1. A statistical reliability methodology 
(Quantitative reliabilities are calculated) 

2. A probabilistic reliability methodology 
(Qualitative reliabilities are calculated) 

Figures 2 and 3 outline the statistical and probabilistic 
reliability methodologies, respectively. Both reliability 
approaches require that a mathematical reliability model of 
the engine (system) be developed as a function of the 
reliabilities of the parts and components. The two methodo- 
logies differ in the procedure which is used to develop the 
reliabilities of the components and parts and to establish 
hardware life limits. 

The advantages and disadvantages of both methodologies 
are outlined in Table 1. The application of each methodo- 
logy to establish SSME hardware life limits depends on the 
available data and on the objective of the reliability 
analysis. If the objective is to quantify the hardware life 
limits to maintain a specified hardware reliability, then 
the statistical approach should be used. On the other hand, 
if limited failure data is available, then a probabilistic 
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reliability methodology should be utilized as a tool to 
establish hardware life limits from a cost-benefit analysis 
which considers the design parameters uncertainties, 
maintenance program, inspection techniques, and fabrica- 
tion procedures. 

In the statistical reliability methodology outlined in 
Figure 2, the SSME hardware life limits are determined from 
the apportioned reliabilities R and R required to achieve 
the desired SSME target reliability R w . The required 
reliabilities R and R are verified during the develop- 
mental phase of ? tne engine from statistically-designed 
testing* From sufficient testing at the part and component 
levels, the probability distribution of the time (or number 
of cycles) to failure of each life-limited part or component 
is developed. The hardware life limit is then established 
from the failure distribution corresponding to the desired 
reliability for that hardware. Hence this methodology gives 
a meaningful, quantitative assessment of the reliabilities 
of the parts, components, and hence, the SSME. 

A probabilistic reliability methodology qualita- 
tively, rather than quantitatively, assesses the reliabili- 
ties of the parts, components, and engine. The reliabili- 
ties of the SSME hardware are determined qualitatively from 
probabilistic structural analyses of the failure phenomenon 
which incorporates the uncertainty in the design parameters 
listed in Section 2. The reliability numbers genera- 
ted from this method do not have quantitative meaning except 
for hardware where the theoretical failure distribution is 
benchmarked by the failure distribution developed from 
testing. In lieu of reliabilities quantified from testing, 
probabilistic assessement of the part/ component reliabili- 
ties does give the relative reliabilities of the SSME 
hardware given the uncertainty in the respective design 
parameters. Consequently, the probabilistic structural 
analysis becomes one of several tools needed for a decision 
analysis process to quantify SSME hardware life limits as 
discussed in Section 6. 

This paper addresses the following aspects of these two 
methodologies : 

e SSME system reliability 

• SSME component/part reliabilities 

• Statistical component /part reliabilities 
e Probabilistic component /part reliabilities 

• Decision analysis methodology 


4.0 SSME SYSTEM RELIABILITY 

The performance of the SSME should be represented by a 
mathematical reliability model of the engine which sub- 
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divides the SSME into lower levels of components and parts , 
including identification of the interfaces/interactions 
among the components and parts which affect the engine 
reliability. System or SSME reliability, R^, is apportioned 
down to the level of component and part reliabilities, R 
and R^, respectively. c 

For the SSME, the logical starting point to develop the 
system performance model is the Failure Modes and Effects 
Analysis/Critical Items List (FMEA/CIL) document prepared by 
RI/RD (1984). This document identifies the potential 
hardware failures, their effects on engine and vehicle 
performance, and their ranking according to a criticality 
category. A Criticality Category 1 failure, the most 
serious, results in loss of life or vehicle (including loss 
or injury to the public) . The mathematical reliability 
model of engine performance should be initially developed 
for all Criticality Category 1 failures identified in the 
FMEA/CIL for each mission operational phase: propellant 

conditioning, engine start, mainstage, cutoff, and Dost— 
cutoff. However, further development of the FMEA/CIL report 
would be required since the mechanical failure modes, 
causes of failure, and failure rates (failure distributions) 
of the SSME hardware leading to Criticality Category 1 
failures has not been adequately developed in this document. 
The mechanical failure modes of the SSME parts of each 
component should be separated into a failure mode matrix of 
age-related and non-age-related failure modes as shown in 
Table 2 . 


A system reliability model of the SSME is proDosed to 
facilitate hardware life utilization as follows: 

• To provide, in a logical and illustrative manner, a 
thorough understanding of the complex interrela- 
tionships of all failure modes which could initiate 
SSME failure. 

• To provide a methodology to identify the sensitivity 
of SSME performance to different failure modes and 
designs . 

• To provide a mathematical tool to apportion and 
determine the reliabilities of the components/parts 
from which the hardware life can be determined. 

• To prioritize upgrading of the comoonent/Dart reliabi- 
lities. 

Mathematical reliability models of a system include 
® v ® n ^ trees, fault trees (or conversely, success trees), 
and reliability block diagrams. Conceptual, partial 
fault tree and reliability block diagrams which model SSME 
system performance are shown in Figures 4 and 5, resDective— 
ly. The fault tree would be the logical continuation of the 
FMEA/CIL study and should be developed initially for all 
Criticality Category 1 failures as assessed in the FMEA/CIL. 
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Fault tree analysis is a powerful tool to understand a 
complex system such as the SSME. In 1961, fault tree 
analysis was originated by H.A. Watson of Bell Telephone 
Laboratories to evaluate the safety of the Minuteman Launch 
Control System. Fault tree analysis is a deductive method- 
ology to determine the "basic events" (faults or failure 
modes) which could propagate to result in the undesired 
"top event", the failure of the SSME. Basic events, such 
as turbine blade failure, which could lead to a Criticality 
Category 1 failure, are represented by circles in Figure 4. 
Basic events have failure probabilities (distributions) 
assigned to them and hence represent the component /part 
failure probabilities (or conversely, reliabilities). 
Quantitative analysis of the fault tree calculates the 
probability of the top event occurring from failure informa- 
tion of the basic events. In addition, quantitative fault 
tree analysis can be used to determine the required reliabi- 
lities of the components . and parts from the target SSME 
reliability R^, which can be used to assess the hardware 
life limits of the SSME. Assessment of the reliabilities of 
the components and parts is discussed below. 

5.0 SSME COMPONENT /PART RELIABILITIES 

The most feasible approach to establish the reliability 
of a mechanical component is to break it down into the 
individual parts which can fail. The effect of each 
operational and physical uncertainty on these parts can then 
be determined to establish the mechanical failure mode(s) of 
each part. The component reliability is then a function of 
the reliabilities of the individual parts. In general 
terms, a basic mechanical failure mode can be defined as the 
physical process (es) which occur or combine their effects to 
alter the size, shape, or material properties of SSME 
hardware to make it incapable of satisfactorily performing 
its intended functions. Examples of mechanical failure 
modes include LCF, HCF , wear, cyclic creep, buckling, etc. 

If the mechanical failure modes, failure rates, and hence, 
reliabilities, of the parts are known, then the component 
reliability can be determined (Raze, Nelson, and Simard, 
1986) . 


As an illustrative example, consider that a valve 
assembly may fail due to only two failure modes: seal 
leakage (caused by wear) and a cracked connector /housing 
(caused by fatigue). If R represents the reliability of 
the seal and R. represents s the reliability of the housing, 
then the reliability of the valve, R v is given as: 

R v “ R s * (1 > 

Because the SSME has little mechanical redundancy, generally 
the reliability of the parts should be greater than the 
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reliability of the components, which in turn should be more 
reliable than the engine. 

The cumulative Weibull probability distribution 
(Weibull, 1951) has been utilized by the aircraft engine 
industry (e.g., Abernethv et al . . 1983b) to characterize 
the probability distribution of the time (or number of 
cycles) to failure of a number of mechanical failure modes 
of engine hardware. Table 3 presents preliminary documenta- 
tion of the use of the Weibull probability distribution to 
characterize the failure distributions of engine hardware 
and more generally, of mechanical failure modes such as 
LCF , HCF , wear, etc. The Weibull distribution is presently 
being implemented at NASA/MSFC to develop the failure 
distributions of SSME hardware from a limited data base 
of failures (Leath, 1986). Because reliability literature 
contains numerous references on the theory of the Weibull 
distribution, the establishment of confidence intervals, 
etc., only the engineering significance of the Weibull 
distribution will be discussed below. 

The cumulative two-parameter Weibull probability 
function, F,j,(t), of the random variable T representing the 
life (in time or number of cycles) to failure of an engine 
component or part is given as : 


F T (t) = 1 - expC-(I) 8 ] (2) 

where 


6 = Weibull shape parameter 

n = Weibull scale parameter (characteristic life) 

When the failure data is graphed on Weibull probability 
plot paper, the shape parameter g is the slope of the 
straight line fitted to the data and represents the failure 
rate of the hardware. In general, the Weibull shape 
parameter (or slope) g for the different parts comprising a 
given component will not be equal. Therefore, the compo- 
nent, or valve, reliability distribution R (or conversely, 
the failure distribution) in equation (1) will not be a 
Weibull distribution, i.e., the distribution expressing R 
wiil not plot as a straight line on Weibull paper. The V 
importance of the Weibull shape parameter g in characteri- 
zing component/part reliability is addressed below. 

The mean, or expected value, E(T) , of the Weibull 
distribution is given as: 


1 

E(T) = n r[l + j ] (3) 

where r[ j is the complete Gamma function. The coefficient 
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of variation, v , of the Weibuil distribution is given as: 


Y = - r[i + 2/sj 

* L o 

r [i + 1/8] 


13 


1/2 


(4) 


Note that v is dependent only on the Weibuil shape parameter 8 
and is independent of r\. The relationship between 8 and v 
in Equation (4) is graphed in Figure 6. As the value of 
8 increases, v decreases. Therefore, overestimation of 8 
implies a smaller value of v or "more certainty" in the 
failure mode process. If the coefficient of variation of a 
given failure mode is known, then 8 can be derived from 
equation (4). 

For a hardware life limit t_ corresponding to a 
cumulative probability of failure F (t) equal to p , 

Equation (2) can be solved for as follows: * 


t = n iln ] 1/B (5) 

(1 - P F ) 

Then the factor of safety (FS) for the mean life E[T] of the 
Weibuil distribution can be solved from Equations (3) and 
( 5 ) as : 


Factor of Safety = FS = £1211 ( 6 } 

t D 

The FS will be a function of oniy 8 (or y) and p„. The 
relationship between p w , FS, and 8 (or y) is graphed in 
Figure 7. The followihg trends noted in Figure 7 illustrate 
the sensitivity of p and FS to the estimate of 6 when per- 
forming Weibuil analysis: 

e For a given 8 , p_ decreases as FS increases . 

(A higher FS gives a lower p_) . 
e For a given FS, p g decreases as 8 increases. 
(Overestimation or 8 gives an unconservative 
estimate (too low) estimate of Pp) . 

For example, if the Weibuil distribution for a LCF failure 
mode of a specific SSME hardware has a shape parameter 8 of 
3, then the design lives selected to limit p to 0.01 and 
0.001 would correspond to values of the FS of about 4 and 9, 
respectively. 

In order to maintain a given p (or target reliability) 
of a specific hardware, the effect of 8 on the design 
life t is illustrated in Figure 8. Consider the case of 
overestimation 8 for values of p F less than 0.632. For 
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example, for a p„ of 0.001, for a value of 8 equal to 2, 
the ratio of t_/n is equal to 0.1. However, if B is 
overestimated to be 2.5, then t_/ri would be equal to 0.25, 
which would imply a design life of 2-1/2 times greater than 
the actual value. Consequently, an accurate estimate 
of the Weibull shape parameter 8 is important to realisti- 
cally quantify the reliability of a component or part. 

For values of p„ less than 0.632, it is conservative 
therefore to use an underestimated (smaller) value of 8. 

Methods to develop a file of values of the Weibull 
shape parameter 8 to assess component /part reliabilities 
for the SSME hardware are outlined in Table 4. The first 
method determines values of 8, and hence, hardware reliabi- 
lities, from failure data of the SSME or other pump-propel- 
led liquid rocket engines. The second method establishes 
value of B from data obtained from material specimen 
testing. The third method determines values of 8 theoreti- 
cally from probabilistic structural analyses of the failure 
phenomenon of the hardware. Finally, the fourth method uses 
values of 6 determined from expert judgment. For example, 
for some components it may be conservative to use a value of 8 
equal to one, which implies that the failure distribution 
follows an exponential distribution and the failure rate is 
constant. The first and third methodologies are discussed 
below. 

5 . 1 STATISTICAL COMPONENT /PART RELIABILITIES 

If considerable testing is performed at the component/ 
part level, then the probability distribution of the time 
(or number of cycles) to failure of a component or part, and 
hence 8, can be determined directly from statistical 
analysis of the failure data (method 1 in Table 4). The 
component or part can then be utilized for an operating life 
corresponding to the required level of reliability for that 
particular hardware as illustrated in Figure 2. This 
approach enables meaningful, absolute reliability values to 
be utilized in a quantitative reliability methodology. 

As failures of SSME hardware are observed in testing 
or flight, a file of values of the Weibull shape parameter 
8 ("B-bank") for different observed failure modes, ma- 
terials, and parts should be developed from the failure 
data. To provide consistency between the failure data and 
the structural analysis of a given failure mode, the 
mechanical failure modes (wear, fatigue, etc.) leading to 
SSME Criticality Category 1 failures should be identified in 
matrix form as in Table 2. Descriptive measures (inspection 
procedures) and verification methods of each failure mode 
should be incorporated into the failure data collection 
process to facilitate correct statistical analysis of the 
failure data. Much of the scatter observed in failure data 
plotted on Weibull paper is due to the mixing of the differ- 
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ent mechanical failure modes. Consequently, the data for 
the different failure modes of a given hardware must be 
Drooerly separated by physical inspection and classification 
before the statistical analysis of the failure data can be 
performed . 

Therefore, the statistical treatment of the SSME 
failure data should involve the following steps: 

• Develop a concise definition of each failure mode. 

• Develop a descriptive measure of each failure mode 
for maintenance and inspection purposes. 

• Monitor the estimates of n, 8, and the desired 
B-lives as the number of failures increases. 

• Monitor the reliability growth as the number 
of failures increases. 

• Document and verify the Weibull analysis computer 
programs and theory. 

• Document the appropriateness/procedure of 
performing Weibayes/Weibest analysis per . 

Abernethy, et al . , (1983). For example, what 

are appropriate values of 6? 

In addition, to complement the limited failure data on 
SSME hardware, values of 6 should be established from 
similar hardware on other pump-propelled rocket engines as 
recommended in method lb in Table 4. Per MacGregor (1982), 
RI/RD has obtained about 85,000 Unsatisfactory Condition 
Reports (UCRs) over the past 30 years from the development 
of" eight different pump-propeiied rocket engines (including 
the SSME), the delivery of about 2500 engines, and the 
launch of over 1000 flight vehicles. From consideration of 
failures which have occurred only during the operational 
(mature) phase of these engines, RI/RD has identified at 
least 13 common failure modes as listed in Table 5. It is 
recommended that these failure modes be further investigated 
to develop a file of 8 values to complement the values of 8 
develooed from the limited SSME failure data. It is also 
recommended that RI/RD' s data base of UCRs be investigated 
to derive values of 8 for failure modes in addition to those 
identified by MacGregor (1982). 

The use of failure data from other pump-propelied 
rocket engines must also address the possibility of varia- 
tion of the value of 6 (the failure rate) from engir.e-to- 
engine. Such variations may be due to hardware design 
differences, overall engine design variations, and variabil- 
ity in operating environments. For failure modes of 
similar hardware on different engines where sufficient 
failure data is available, the hypothesis of engine-to- 
engine variability should be tested. However, the use of 
historical failure data from similar hardware of other 
engines may lead to more reasonable hardware life assess- 
ments than assuming, for example, a constant failure rate 
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for all hardware. In addition, the values of 6 derived 
from the historical data may also be incorporated in the 
Bayesian analysis of hardware reliabilities being imple- 
mented by JPL (1986). 

5 • 2 PROBABILISTIC COMPON ENT /PART RELIA BILITIES 

Development of the component and part reliabilities 
from a probabilistic structural analysis (method 3 in Table 
4) involves the following steps: 

e Identify all the design parameters which have 
uncertainty associated with them, 
e Collect data on the variabilities of the design 
parameters . 

e Model the probability distributions of the design 
parameters . 

• Perform the probabilistic structural analysis by 
propagating these distributions through the 
mathematical model of the failure phenomena, 
e Model the probability (e.g. Weibuil) distribution 
of hardware life. 

The reliability of a given hardware is a function of 
the N random design variables representing the variabilities 
in the material, load, and structural parameters. Let X = 

f V V V \ no o TToptnf r\ 'f rioc i rrn ria'nlp nf ;=» rr i 

v •*# f «*2 * ■ • • / •*« / ~ — — — — — - * 

hardware. The performance function g(X) of the hardware 
for a given failure mode can be expressed as 

g(X) = g(X x , X 2 , ..., X N ) (7) 

The limit state, or the boundary of the failure domain, of 
the hardware may then be defined as 

g(X) = 0 (8) 

Hence , 

g(X) > 0 is the "safe state" (9) 

g(X) 4 0 is the "failure state" (10) 

A typical form of equation (10) is given by 

g(X) = L ( X) - R(X) ^ 0 (11) 

where L(X) is the load (or stress) parameter and R(X) is 
the capacity (or strength) parameter. The probability of 
failure d_ of the hardware is then defined as 

- p 

o F = P[g(X) 4 o] ( 12 ) 

Let be the joint probability function of the random 
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(13) 


design variables X, 


f X (X) “ f X , . . . ,X (X 1 ' * * ’ ,X N ) 
1 N 

Then equation (12) can be written as 
P w = \ f^(x) ax 


s - 

J g(X) s < 


(14) 


Depending on the complexity of the failure mode and the 
data available on the random design variables, the probabi- 
lity of failure (or conversely, the reliability) in equation 
(14) may be calculated by one of three probabilistic 
structural analysis methods: 


• Full distributional approach 

• Second moment method 

• Numerical techniques, such as Monte Carlo simulation 

Computation of the probability of failure from equation 
(14) is called the "full distributional" approach since it 
requires the joint probability density function of the 
random design variables. If the integral in equation (14) 
is computed exactly, then the computed probability of 
failure is exact. The exact integration, however, is 
possible only for limited cases such as certain stress- 
strength interference problems per equation (11) (e.g. 
Haugen, 1968; Ang and Tang, 1984; Witt, 1985). The second 
moment method is an approximate method which does not 
require the joint probability density function of the design 
variables but requires only the first two moments of each 
variable (e.g. Ang and Tang, 1984) . 

A number of SSME components/parts are life-limited due 
to LCF , HCF, and cyclic creep. For these failure modes, the 
relationship between the design parameters associated with 
uncertainty and the hardware life are defined' only by 
a computer program, e.t., local strain, fatigue life 
prediction, finite element stress model, etc. Consequently, 
it would be difficult to obtain a closed-form solution for 
the full distribution of hardware life. More feasibly, the 
probabilistic structural analysis must be based on a 
deterministic methodology, by considering the input design 
variables to be random rather than deterministic and 
propagating the random variables through the structural 
analysis via numerical techniques. 

Monte Carlo simulation is the most widely-used numeri- 
cal technique to construct the failure distribution. While 
Monte Carlo simulation can be used to solve virtually any 
reliability problem, a major disadvantage of this methodo- 
logy has been the expense required to carry-out the neces- 
sary computations. Johnson, Maxwell, and Allred (1975), 
Johnson and Maxwell (1976), and Maxwell and Johnson, (1977) 
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limit the number of simulations required for a complete 
structural analysis algorithm by developing an interpolation 
function which represents the dependent failure mode 
parameter (such as stress or life) as an explicit linear or 
nonlinear function of the design parameters. Presently for 
selected SSME hardware, Monte Carlo simulation is being 
implemented by the Jet Propulsion Laboratory (JPL) (1986) 
with the complete structural analysis procedures to derive 
the probability distributions of the Weibull parameters 
(B,ti). 


For the SSME, probabilistic structural analysis of the 
components/parts should be used as follows: 

• To acquire a better understanding of the effects of 
uncertainties of the material properties, thermal 
environment, etc. on the determination of hardware 
life limits. 

• To qualitatively assess component /part reliabilities 
when failure data is not available. The qualitative 
reliabilities are then used to prioritize upgrading 
the hardware in a decision analysis methodology to 
establish hardware life limits. 

• To calibrate structural analysis procedures with the 

failure data. The objective is for the probabilistic 
structural ana 1 1 s nf 3 cjivsn fsilurs medic to 

predict the same Weibull distribution of hardware 
life as statistically derived from the failure data. 

6.0 DECISION ANALYSIS METHODOLOGY 

Because testing at the component /part levels has not 
been conducted, the determination of hardware life limits 
for the SSME becomes a decision analysis problem. The 
decision analysis process should be a cost— benefit analysis 
which establishes hardware life limits from the following 
sources : 

• The validity of hardware life limits realized from 
the probabilistic structural analysis 

• The inherent reliability being achieved by the 
maintenance program, inspection procedures, fabrica- 
tion procedures, and quality control 

Until the component /part reliabilities generated from a 
probabilistic structural analysis are verified with reliabi- 
lities generated from failure data, the reliability of the 
SSME hardware, and hence, the life limits, will have to be 
qualified by a maintenance program calibrated to prevent 
functional failures from occurring. 

The relative part /component reliabilities, determined 
from the probabilistic structural analysis and aggregated 
through the system performance model , can be used to 
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prioritize which hardware should be upgraded. The upgrading 
of a particular hardware should consider the following 
alternatives and the expected costs/benefits: 

• Conduct testing 

• To improve information on material properties 

• To improve information on the operating 
environment 

■ To imorove information on coiT?on?nt/P 3 ?t 
reliabilities 

• Modify the design 

• Improve maintenance/ inspect ion procedures 

• Improve fabrication procedures 

7 • 0 RECOMMENDATI ONS 

In summary, the following recommendations should be 
implemented for the management of SSME hardware life 
utilization: 

e Identify and define descriptive measures of the 
mechanical failure modes of all SSME hardware 
for use in maintenance, inspection, and statistical 
failure data analysis. 

e Develop a mathematical reliability model of the SSME 

(e.g. fault tree analysis) from the FMEA/CIL Criticality 
Category 1 failures. 

• Develop a file of values of the Weibull shape parameter 
6 to model the failure distributions of SSME hardware. 

• Calibrate failure distributions (Weibull parameters) 
developed from probabilistic structural analysis with 
failure distributions statistically derived from testing. 

• Develop a decision analysis methodology to determine 
hardware life limits when failure data is not available 
which incorporates the following: 

• Expected costs 

• Probabilistic structural analysis 

• Maintenance/ inspect ion procedures 

• Fabrication procedures 



Figure 1 . Relationship between parts, components, and system of SSME. 
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Conduct Part/Component Level Testing 
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Figure 4. Partial conceptual fault tree of SSME. (Ducts, valves, 
controller, etc. not shown. Transfer events not 
developed.) 



Figure 5 . 

Partial conceptual 
reliability block 
diagram of SSME. 
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COEFFICIENT OF VARIATION 

Figure 6 . Coefficient of Variation vs. Shape Parameter 6 for the Weibull 
-r Distribution 



Figure 7. Factor of Safety 
~~ vs. Probability 

of Failure as a 
Function of Shape 
Parameter 3 for 
the Weibull 
Distribution 
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Figure 8. Shape Parameter 8 vs. Ratio of Design Life T D to Characteristic 

— L: j.f e n as a Function of the Probability of Failure pp for the 

Weibull Distribution 
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For the controller failure data Weibull Models fits 
well. The MTBF assuming censored Weibull Model is 1,448 
hours. If one uses simple Exponential Model, MTBF is 881. 
^ * s advisable to use censored models which take into 
account the time for the units which did not fail. The B1 
life using Weibull Model is 197.5 hours. 

For SSME blade failures using grouped Weibull Model 
MTBF obtained is 27.69 hours. The variances of the 
estimators are also obtained for the parameters in MTBF. 
The B1 life is 2.16. The drawback of the method is that 
to find the estimators one needs to solve two simultaneous 
nonlinear equations. Alternatively the randomly placed 
model can be used. For this method MTBF is 17.32 hours and 
B1 life is 1.5 hours. This method depends on seed numbers 
used in the random number generators so it is better to 
make number of runs with different seed points and average 
the results. 


Other models like Gamma Model may give the better fit 
for controller failure data. The maximum likelihood 
estimating equations involve incomplete gamma functions 
solving these equations need sophisticated programming 
techniques. These problems need further investigation. 
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TABLE 3 


APPLICATIONS OP WE I BULL DISTRIBUTION FOR FAILURE MODE ANALYSIS 
_ (PRELIMINARY LIST) 


Application 

■Bearing failures in a fighter . . . 

anrrinA aimmontDr* ‘T foonUTTTD : 

a 1 

Weibull shape parameter 8 of 
4.615 (final value) 

■General classification of Weibull 
failure modes: 


Failure Mode _i 

Infant Mortality <1 


Inadequate Burn-in 

Green Run 

Misassembly 

Some Quality Problems 

Electronics 

Random Failures 1*0 

Independent of Time 
Maintenance Errors 
Electronics 
Mixture of Problems 


Early Wear out 3.0 

Surprise 

LCF 

Rapid, Old-age Wearout 6.0 

Bearings 

Corrosion 

■ RB-211 Engine Weibull Shape . . 

Module Parameter 8 


I.P. Compressor 0.7, 3.08 

Intermediate Case 3.068 

H . P . Compressor and 

Turbine 2.206 

I. P. and L.P. Turbine .. 1.355, 3.5 
High-Speed External 

Gearbox 2.85 


Reference 
Abernethy, Meal in, 
ana Ringhiser 
(1983) 


Abernethy, Medlin, 
and Ringhiser 
(1983) ; 

Abernethy, Breneman, 
Medlin, and Reinman 
(1983) 


Blundell and Beard 
(1985) 
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TABLE 3 (CONT'D) 


APPLICATION 

■Titanium-6-Al-4V alloy 

engine discs, LCF failures at 
bolt holes, values of Weibull 
shape parameter 6 of 2.0 and 3.2 


■Wearout of augmentor hydraulic 

fuel pumps on fighter aircraft: 

Weibull shape parameter B of 2.6. 
Housing cracks of augmentor hy- 
draulic fuel pump on fighter aircraft: 
Weibull shape parameter 8 of 2.9 


■Probability distribution associated . 
with Weibull shape parameter 8: 

Weibull Shape 


Distribution Type Parameter 8 

Exponential 1.0 

Rayleigh 2.0 

Lc^ncrnicil 2-5 - 3 ; 0 

Normal 3.0 - 4.0 

Small Extreme Value > 10.0 


■Weibull distribution used for LCF .. 
crack initiation life of gas turbine 
engine disc 

■ Air Turbine Starter : 


Weibull Shape 


Failure Mode Parameter 8 

Ball Bearing Fatigue 2.0 

Roller Bearing Fatigue 1.5 

Bearing Infant Mortality ...... 0.5 

Gear Fatigue 2.5 

Seal Random Failures 1.0 

Seal Infant Mortality 0.5 

Clutch Random Failures 1.0 


■ Application of Weibull 

probability distribution to model 
fatigue data. 


REFERENCE 

Mahorter, London, 
Fowler and 
Salvino (1985); 
Mahorter, Fowler, 
and Salvino (1985) 

Med 1 in and 
Elsaesser (1983) 


Saizman and 
Gauger (1986) 


Sattar and 
Sundt (1975) 


Trimble and 
Schmidt (1983) 


Wirsching (1981); 
Fatigue Reliabi- 
lity: Development 
of Criteria for 
Design (1982) 
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TABLE 4 

METHODS TO DEVELOP WEIBULL SHAPE PARAMETER 6 F ILS 

FOR SSME HAR DWARE 

YT From test/f light data of engine hardware 

a. SSME 

b. Other liquid rocket engines which are pump- 
propelled (Assumption: Similar operations 
and similar component /part configurations 
should have similar values of 8). 

• j-2 engine in Saturn lb and V vehicles (153)' 

• H-l engine in Saturn lb vehicle (294) 

• F-l engine in Saturn V vehicle (35) 

• RS-27 engine in Delta vehicle (69) 

• Thor engine in Thor vehicle (524) 

• Atlas engine in Atlas, Atlas-Centaur 
vehicles (1110) 

2 . From test data on material specimens of engine 
hardware 

3. From probabilistic structural analysis 

4 . From expert judgment 

1 Approximate number of engines developed per MacGregor 
(1982) . 


TABLE 5 

OCCURRENCE OF FAILURE MODES IN PUMP- PROPELLED LIQUID ROCKET ENGINES 1 


FAILURE MOOi Df SCmrriON 

COOLANT PASSAGE LEAKAGE 
JOINT LEAKAGE: 

A. HOT GAS 

B. PROP. A LUBE HYDR. 

HIGH TORQUE. T/P 
CRACKED TURBINS BLAOES 
CRACK— CONVOLUTIONS BELLOWS 
LOOSE ELECTRICAL CONNECTORS 
BEARING DAMAGE 

TUBE FRACTURE 
TURBOPUMP LEAKAGE 
VALVE FAILS TO PERFORM: 

A. MOISTURE. ICE 
8. CONTAM/FRICTtON 
INTERNAL VALVE LEAKAGE: 

A. CONTAMINATION 

B. COMPRESSION OF SPRING 

C. VIBRATION SEAT 

D. TRAPPED PRESSURE 
REGULATOR DISCREPANCIES 

CONTAMINATED HYOR. CONTR. ASSY 

TOTAL ENGINE 



’per MACGREGOR (1882) 
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